The Six Dumbest Ideas in Computer Security

This came in a security newsletter I receive. I read it, and some of the ideas I thought were pretty obvious to me, yet some others made me have to think about them for a while, as they run counter to the conventional "wisdom" about computer security.

"Marcus Ranum released an interesting editorial entitled "The Six Dumbest Ideas in Computer Security." He gives his views on common security misconceptions that seem to be perpetuated throughout corporate IT environments. You can read this and other editorials at: http://www.ranum.com/security/computer_security/editorials/dumb/"

After reading this, what is your take? Are we just chasing our tails so vendors can continue to make a profit?

All Comments

Several good points

Read this earlier today, and I found some very good points within, especially the notion of "Enumerating Badness" as a stupid premise. Why have security software that must maintain a list of thousands of harmful programs to block, which must be constantly updated, instead of simply allowing only authorized programs to run? Great idea in principle, though I expect the application would be difficult, especially at the home user level.

The idea goes off the rails in the "block all attachments" rants, because I legitimately receive exe files and have the good sense to know which ones to run and which not to. Some of these extreme countermeasures could easily toss out the baby with the bath water.

Quarantined attachments

The article simply said that it is possible to put email attachments on a system that will make it more difficult for viruses to compromise. The scheme that he proposed said that the email attachments would be stripped from the email body and stored on a special server. The end user could log in to the special server to view or retrieve the email attachment.

Good Idea

A major company's headquarters where I used to work does this. Educating users only helps slightly. They will still try to download spyware screensavers, open attachments, visit pages that do surreptitious installs, etc.

But you still should educate

We find our travelling roadshow for small businesses (a 1-hour plain English PowerPoint on what the problems of allowing staff to indiscriminately email, IM and surf are) DRAMATICALLY reduces the support requirement for stupid stuff. If only because they now understand how the kids have screwed up their home machines and they got hit in the pocket to fix them. The hit-in-the-pocket lesson transfers to the workplace - for about 6 months. Then it needs reinforcing.

If only the MS "Limited" account was really such a thing......... I like this guy's approach and arguments.

Stupid is as Stupid does!

I agree wholeheartedly. One of my job roles is to train our sales staff on PC components. They still come up with some interesting ideas. Nevertheless, the saying of Forrest Gump remains one of my favourites....

Every time you idiot-proof, they come up with a better idiot

I have, unfortunately, had mixed results with educating users. Some years ago, we worked with everyone in the company to try to make them concerned with password security. A few weeks after the last of the classes, we ran a test. We sent out an e-mail purporting to come from a new system administrator. In essence, it said

Hi, I've just started as a computer administrator here at <company>. In order for me to keep the records up-to-date, please give me the following:

ID:
Mainframe system(s):
Mainframe password:
Unix system(s):
Unix password:
E-mail password:

In our company, each user has a unique ID which is the same for mainframe, Unix, or e-mail. (Or the NT LAN, but the password for that is the same as the e-mail password.) Thus, Joe Bloggs would be "jbloggs" no matter where he logged in. BTW, Unix administration, mainframe administration, and e-mail administration are handled by three completely different groups.

Out of 2400 users, sixteen sent in their passwords; one department head not only e-mailed his password but also clicked on "Reply to all", so every user in the company got his message; and 627 people called either the help desk or the security group to complain that someone was trying to get their passwords.

Try this one . . .

I work for a government agency that (when our network was originally rolled out - about 15 years ago) upheld the requirement that we provide our supervisors our passwords so they could access our stuff if we "were out." Never mind the fact that the I.T. department could change the password and allow access on a supervisor's/department head's request. This was encountered in a City Attorney's office. So much for password protection, they were kept on a list in the supervisor's desk.

actually . . .

The article said to quarantine at a staging server and allow end-users to retrieve attachments from there, as you stated, but it also said to throw out all executables right off the top. I think it was only with that last bit that the Trivia Geek took exception.
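The staging-server scheme described in the "Quarantined attachments" comment and the "actually . . ." reply above, as an added example that is not code from the thread or from Ranum's editorial: every attachment is stripped from the message, executables are thrown out right off the top, the rest are stored under a random ticket on the quarantine side, and the user receives a rewritten plain-text message telling them what was held and how to retrieve it. The quarantine directory standing in for the special server, the list of executable suffixes, the PE-magic check (which goes beyond a name-only rule and catches a renamed .exe), and the sample message are all assumptions of this example.

```python
"""Attachment quarantine gateway (added example; assumptions noted inline).

Strip every attachment, discard executables, hold the rest under a ticket,
and hand the recipient a rewritten message that says what was held.
"""
import hashlib
import secrets
import tempfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from pathlib import Path

# Assumption: suffixes the gateway refuses to quarantine at all.
EXECUTABLE_SUFFIXES = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd",
                       ".vbs", ".js", ".msi", ".hta"}

# Constructed sample payloads, not real files.
PDF_BYTES = b"%PDF-1.4 fake (constructed sample)"
PE_BYTES = b"MZ\x90\x00 fake (constructed sample)"


def is_executable(filename, payload):
    """Decide by name AND content: a renamed .exe still starts with 'MZ'."""
    suffix = Path(filename).suffix.lower()
    return suffix in EXECUTABLE_SUFFIXES or payload[:2] == b"MZ"


def quarantine_attachments(raw, quarantine_dir):
    """Return (rewritten message bytes, report) for one raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    report = {"stored": [], "dropped": []}
    notes = []

    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"
        payload = part.get_payload(decode=True) or b""
        if is_executable(name, payload):
            report["dropped"].append(name)
            notes.append(f"[attachment {name!r} was an executable and was discarded]")
            continue
        ticket = secrets.token_hex(8)
        digest = hashlib.sha256(payload).hexdigest()
        folder = quarantine_dir / ticket
        folder.mkdir(parents=True)
        # Path(name).name keeps a hostile filename like '../../x' inside the folder.
        path = folder / Path(name).name
        path.write_bytes(payload)
        report["stored"].append({"name": name, "ticket": ticket,
                                 "sha256": digest, "path": path})
        notes.append(f"[attachment {name!r}, {len(payload)} bytes, "
                     f"sha256 {digest[:16]}..., held in quarantine; "
                     f"retrieve it from the quarantine server with ticket {ticket}]")

    # Rebuild as plain text only: a few headers plus the original text body.
    rewritten = EmailMessage()
    for header in ("From", "To", "Subject", "Date", "Message-ID"):
        if header in msg:
            rewritten[header] = msg[header]
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    rewritten.set_content(text.rstrip("\n") + "\n\n" + "\n".join(notes) + "\n")
    return rewritten.as_bytes(), report


def count_attachments(raw):
    """Number of non-body parts a mail client would offer to open."""
    msg = message_from_bytes(raw, policy=policy.default)
    return sum(1 for _ in msg.iter_attachments())


def body_text(raw):
    """Decoded text/plain body of a raw message."""
    msg = message_from_bytes(raw, policy=policy.default)
    return msg.get_body(preferencelist=("plain",)).get_content()


def build_sample_message():
    """Constructed sample: one PDF, one .exe, one double-extension screensaver."""
    msg = EmailMessage()
    msg["From"] = "alice@example.test"
    msg["To"] = "bob@example.test"
    msg["Subject"] = "Q3 figures"
    msg.set_content("Figures attached, plus the viewer to open them.")
    msg.add_attachment(PDF_BYTES, maintype="application", subtype="pdf",
                       filename="figures.pdf")
    msg.add_attachment(PE_BYTES, maintype="application", subtype="octet-stream",
                       filename="viewer.exe")
    msg.add_attachment(PE_BYTES, maintype="application", subtype="octet-stream",
                       filename="notes.txt.scr")
    return msg.as_bytes()


def demo():
    """Run the sample through the gateway; returns (rewritten, report, dir)."""
    qdir = Path(tempfile.mkdtemp(prefix="quarantine-"))
    rewritten, report = quarantine_attachments(build_sample_message(), qdir)
    return rewritten, report, qdir


if __name__ == "__main__":
    rewritten, report, qdir = demo()
    print(rewritten.decode())
    print("quarantine dir:", qdir)
    print("report:", report)
```

Running the file prints the rewritten message: the PDF is held under a ticket and its hash is recorded so the user can verify what they fetch, while both the .exe and the .scr (a double extension that a glance at "notes.txt" would miss) are discarded with a note saying so.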

Ideas like this MUST be heard

One thing we know for sure: the current security situation to which we have evolved is a mess. It was founded on archaic concepts from a simpler time. It didn't evolve in the right direction, so it needs to be overhauled.

The major players (Microsoft, etc.) must look into finding creative and flexible ways for administrators to identify trusted software (and probably with different levels of trust), and those, and those only, run on the computer.

Receiving exe files

If there IS a valid reason to send a program via email rather than downloading it, I make the sender modify the extension to just .ex.

The receiver must then manually modify it back to .exe, and because of this process I KNOW what it is and am always expecting that executable.

As you are in Tech, and my users are not, this would happen much less frequently for us than it would for you. While a hassle, it does save me from the "well, I got an attachment so I HAD to see what it was".
